January 22, 2021

The Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD A&S) introduced the Cybersecurity Maturity Model Certification (CMMC) in January 2020 as a unified cybersecurity standard for new Department of Defense (DoD) acquisitions. Combining NIST and other cybersecurity frameworks, CMMC is intended to measure cybersecurity maturity using a unified framework that includes maturity processes and cybersecurity best practices. The ultimate goal is to ensure that DoD contractors are keeping Controlled Unclassified Information (CUI) and Federal Contract Information (FCI) safe and secure.

While CMMC specifications apply to only some contracts now and are expected to become part of DoD procurement in 2026, now is the time to begin pursuing CMMC compliance. If your organization does business with DoD as either a prime contractor or a subcontractor, begin by familiarizing your organization with the standards and best practices and consider an assessment to prepare for compliance for future contracts.

The CMMC Framework and Certification Levels

CMMC is based on five cybersecurity maturity levels ranging from “basic cybersecurity hygiene” to “advanced/progressive”; each level comprises an interconnected set of components: domains, processes, capabilities and practices. The required certification level depends entirely on the type of contract and the sensitivity of the information your organization will handle. A comprehensive explanation of the CMMC model can be found on the Office of the Under Secretary of Defense for Acquisition & Sustainment’s Cybersecurity Maturity Model Certification page.

Most contractors and subcontractors will be required to comply with Level 1.

Level 1 – Basic Cybersecurity Hygiene

Level 1 focuses on the performance of specific practices applicable to basic safeguarding of information systems and Federal Contract Information (FCI). Organizations that possess FCI, but do not possess, store, or transmit Controlled Unclassified Information (CUI), need only comply with the requirements of CMMC Level 1. These practices may be performed ad hoc and need not rely on formalized policies, procedures or documentation, which is why Level 1 emphasizes performance rather than process maturity. Level 1 includes practices across the following domains: Access Control (AC), Identification and Authentication (IA), Media Protection (MP), Physical Protection (PE), System and Communications Protection (SC), and System and Information Integrity (SI).

The 17 practices identified in Level 1 (above) are specified in 48 CFR 52.204-21, Basic Safeguarding of Covered Contractor Information Systems, and also incorporate basic practices from NIST SP 800-171r1, although that framework is more heavily incorporated into Levels 2-3. Because CMMC draws on existing practices and frameworks, many contractors and subcontractors are likely already compliant with the minimum requirements outlined in Level 1 Basic Cybersecurity Hygiene, but they must still have an audit performed in order to achieve certification. However, depending on the complexity of the organization and whether it stores, processes, or transmits any CUI, additional practices may need to be implemented in order to comply with the requirements of a higher maturity level.

How to Begin – The CMMC Assessment

To assess what your organization needs to do in order to achieve compliance, begin with an assessment. A CMMC assessment will help you determine your organization’s current cybersecurity maturity level and identify any gaps between your existing cybersecurity measures and the level of compliance required for the DoD contract. Depending on the size of your organization and the information technology resources you have available, you can perform this assessment in-house or with the assistance of a third party. For details about CMMC assessments, see the CMMC Assessment Guides.

Certification is generally valid for 3 years. As the DoD moves toward implementation of the Level 4 and 5 requirements, many organizations will need to review their compliance again if future contracts require them to handle more sensitive information and data.

Next Steps for Government Contractors

Before competing for your next government contract, become familiar with the CMMC framework and determine which certification level your organization will need to achieve. Next, work with a cybersecurity consultant to assess your organization’s compliance prior to seeking certification. For more information about cybersecurity assessments or the CMMC certification process, contact Melissa Musser, CPA, CITP, CISA, Principal, Risk & Advisory Services at mmusser@grfcpac.com.